Response to the ICO’s Direct Marketing Code
consultation


Dentsu Aegis Network helps its clients win, keep and grow their best customers 
through best-in-class expertise and capabilities in media, data-driven digital 
and creative communications services. Headquartered in London, UK, we employ
48,000 people worldwide who help to service 11,000 clients - including 85 of 
the world’s top 100 advertisers. 


We welcome the ICO’s consultation on the draft Direct Marketing Code which 
provides important clarification on key data protection issues impacting our clients, our 
business and the industry more broadly. 


We support the fact that the Code now provides a more stable basis upon which 
innovative data services may be developed in alignment with the Commissioner’s 
regulatory expectations. 


Whilst we clearly understand the Code provides guidance on the law as it stands today
within the context of direct marketing, it adopts various legal and policy positions
that may have a significant impact on existing business models and practices within the
market, which some parts of the industry may have undertaken with good justification
in the absence of specific guidance.


We note Section 122(4) of the DPA 2018 allows for transitional provisions to be adopted, 
and that a similar 12-month provision was adopted with regards to the recently published 
Age Appropriate Design Code. It would be helpful for a similar provision to be adopted in 
relation to this Code. Alternatively, the Commissioner may wish to consider the 
desirability of giving a measure of regulatory comfort to responsible businesses and 
advertisers whilst they adjust their practices to take account of the Code’s provisions. 


We've set out below a table that details specific responses to the questions posed in 
the consultation where we think it would be helpful for the Code to be amended or 
clarified prior to it being laid before Parliament. 


We hope our suggestions are helpful in further shaping the Code to ensure it protects the 
rights and freedoms of individuals, whilst ensuring businesses clearly understand their 
regulatory obligations. 


If there are any questions or clarification required in relation to our response, then please 
do not hesitate to contact us. 


Dentsu Aegis Network 
March 2020 
Suggested amendments and clarifications




This section explains that indiscriminate ‘blanket
marketing’ does not fall within the definition of direct
marketing, and the example given is of leaflets being
delivered to every house in an area.


This suggests that delivering advertising to
geographical segments that have not been derived
from personal data, for example “all households in
postcode area AB1 2CD”, would not be considered as
marketing ‘directed to’ particular individuals.


That being the case, it would be helpful for a specific
example to be provided in this section.


Further, it may be the case that an advertiser wishes
to send postal marketing to select postcodes or
postcode areas, based upon modelling across
an anonymised dataset(s)
(where the creation of the dataset itself is
undertaken in compliance with the GDPR).


Could it be clarified whether in such cases:


• the advertising would still be considered
  indiscriminate ‘blanket marketing’ and outside
  the scope of the Code; and


• the processing would still be
  considered as having been undertaken for a
  marketing purpose.


How does consent apply to direct marketing? (p33)


The Code states:


“where possible you should provide granular consent
options for each separate type of processing
(eg consent to profiling to better target your
marketing or different methods of sending the
marketing), unless those activities are clearly
interdependent - but as a minimum you must
specifically cover all processing activities”.


This suggests that consent would need to be
unbundled, and that the data subject would need to
give separate indications of consent for different
processing operations such as:


• Data matching
• Data appending
• Analytics and modelling
• Merging datasets


It would be helpful for the ICO to clarify whether it’s
the Commissioner’s expectation that data subjects
would need to provide a series of affirmative actions,
such as checking separate boxes, for each of the
purposes highlighted above - or whether she
considers it may be appropriate, with sufficient
transparency, for these purposes to be bundled
together as a single consent option.


Much of this processing is interrelated, and
therefore grouping these types of similar processing
into a single clearly explained choice, rather than
a series of separate choices, would make more
sense to the individual and prevent the collection of
consent for types of processing activities that will not
be undertaken on the data.


Whilst a high level of granularity would, on the
surface, appear to be a good thing for individuals, in
practice, it would most likely lead to consent fatigue
which would most certainly disadvantage advertisers
as well as consumers. The right to object, combined
with transparency, should serve as an appropriate
safety net if undertaken properly.


It would be helpful to understand whether the
Commissioner’s view is a minimum legal
requirement or a best practice recommendation in
this regard.


How does consent apply to direct marketing?


Advertisers may form part of a group of companies
or may form an arrangement with other businesses
in a cooperative arrangement - for example in the
case of a loyalty scheme.


Does the ICO consider it would be possible for an
individual to give a single positive affirmation
consenting to all group companies or cooperative
members (appropriately disclosed), for example by
means of a “YES TO ALL” button, or does there need
to be a separate unbundled consent for each group
company/cooperative member, together with a
separate consent for each purpose?


Consumers are not disadvantaged if their service
request is satisfied by numerous entities within the
same group or cooperative members. This will
particularly be the case where this is clearly
explained in the consent language and through the
privacy notice.


It would be helpful for an example to be given
demonstrating why the above is, or is not,
depending on the Commissioner’s view, considered
acceptable.


In terms of data enrichment, it would be helpful if
the Code could explain whether the ICO considers
the merging of offline and online data from the same
first party source, for example a customer purchase
history and their logged-in online activity, should be
subject to a specific consent.


Likewise, would the same position apply in relation
to data obtained from a third-party source? An
example illustrating the specificity of consent for
these activities would be helpful.


The Code states that legitimate interests may be
relied upon where consent is not required under
PECR and “...you can show the way you use people’s
personal data is proportionate, has a minimal privacy
impact and is not a surprise to people or they are
not likely to object to what you are doing.”.


Given that legitimate interests in the context of
direct marketing appears to be an issue that’s poorly
understood, it would be especially helpful for there
to be more examples in the Code of where the
Commissioner considers the above criteria would or
would not be met.


For example, are there instances of profiling, or
other types of processing, for example social
listening for brand monitoring purposes, where likely
harms to individuals are minimal, that the
Commissioner considers may be undertaken based
on legitimate interests - or will the ICO consider that
in practice these types of activities must always be
consent based?


It would appear that the Code is attempting to
distinguish between profiling that has a significant
legal effect (must always be consent based), intrusive
profiling not having a significant effect (must be
consent based by virtue of not being able to pass the
legitimate interests test/on fairness grounds) and
less/not intrusive profiling (may be consent or
legitimate interests based). It would be helpful for
this to be explicitly stated with illustrative examples.


Further, the Code refers to “invisible processing” but
it does not always follow that the examples of
invisible processing given in the Code are necessarily
‘invisible’ in practice provided sufficient transparency
information is given. It would be helpful for further
clarification to be given as to what constitutes
“invisible processing”.


How does legitimate interests apply to direct marketing? (p36)


The Code currently says that it will be very difficult
to pass the balancing test when “collecting and
combining vast amounts of personal data from
various different sources”.


Whilst we understand that it may be both context
and fact-specific, it would be very helpful if the Code
were to explain what’s considered to be “vast
amounts” of personal data and “various sources” of
personal data in this context. Is the ICO able to
provide some broad quantification of “vast” and
“various” in this context, or some specific examples?


It would be helpful for the ICO to provide some
recognition in the Code that the effective and
efficient marketing of products and services by
businesses is a legitimate interest for businesses,
leading to broader economic and social benefits.


How long should we keep personal data for direct marketing purposes? (p42)


The Code gives a good practice recommendation to
not rely on consent obtained by a third party for
longer than 6 months.


We do not think that a 6-month time limit is
necessarily relevant in all circumstances. This
is recognised in the current wording of the Code to
some extent: “...this may be different in very
specific cases where the circumstances clearly


It would, however, be helpful if the recommendation
were to specifically recognise there may be cases
when a 6-month period would not be appropriate -
for example where a Price Comparison Website
generates leads for an annually renewed insurance
product, and the data subject specifically indicates
they want to be contacted in advance of the next, or
subsequent, renewals.


It would assist if there was clarification as to
whether the Commissioner considers this 6-month
period should apply to all types of data
processing with a marketing purpose, or whether she
considers it should apply only to the instigation
of the messaging and making first contact.


It would be helpful if there were specific examples to
illustrate the Commissioner’s position included in this


Can we use profiling to better target our direct


The Code references ‘intrusive profiling’ in this
section, but this is not a term that’s defined.


It would be very helpful to understand what factors
the Commissioner considers would make
a profiling activity either ‘intrusive’ or ‘not
intrusive’ together with some specific examples to
illustrate the point.


Can we use data cleansing and tracing services? (p61-63)


Suppression files can be constructed from a
business's “gone away” data or through comparing
Edited Electoral Roll (ERR). It would be helpful if the
ICO could reference this type of processing within
this section and confirm the
likely appropriateness (or otherwise) of undertaking
checks to ensure proper suppression based
on legitimate interests.


How does direct marketing through social media work? (p89-92)


We note that when building lookalike audiences, the
Code states that it’s likely social media platforms
and advertisers will be joint controllers.


It would also be helpful to understand how the joint
controller status applies in practice in this scenario
and for further clarification as to the respective
parties’ obligations in relation to the part they
typically play in relation to such activity - especially
around, for example, the provision of transparency
information.


What do we do if someone objects to our direct marketing? (p106)


Responsible advertisers want to ensure individuals 
are not targeted where they have opted-out of direct 
marketing. 


In such cases, advertisers are able to suppress
advertising to those individuals on social media
channels. This could involve uploading contact
details to the social media platform in question,
which are hashed and matched with the social media
platform’s data to exclude those individuals from a
campaign.


We understand this type of processing, the purpose
of which is the suppression of direct marketing,
constitutes a direct marketing activity for the
purpose of the Code.


Could the ICO clarify whether this type of processing
should only ever be undertaken based on a specific
consent for the sharing of contact details with the
named social media platform?


If so, this would mean that individuals who have
given a general indication of their wishes not to be
subject to direct marketing would not have their
details shared with social media platforms, and
therefore would not be excluded when the audience
is created.


It would be helpful if this specific point could be
covered in the Code, with appropriate examples.


